
An anonymous reader writes "The Federal Trade Commission proposed allowing consumers to opt out of having their online activities tracked on Wednesday as part of the agency's preliminary report on consumer privacy. FTC chairman Jon Leibowitz said he would prefer for the makers of popular web browsers to come up with a setting on their own that would allow consumers to opt out of having their browsing and search habits tracked."

What if the site is being hosted in China? My guess is that if you are up to no good, or doing unethical things, you move offshore. Just like they route telemarketing calls through the Bahamas, etc. because the No Call List doesn't apply to foreign nations.

I think the real solution is to have government not get involved and individuals need to instead create methods to block being tracked, preferably open source. I don't want to depend on

...but is there any evidence that it actually brings in much money for anyone else?

It doesn't need to bring in tangible amounts of money to producers. It only needs to provide enough stats for marketers to convince producers to keep paying marketers. And that is how the web goes round.

A while back I worked on what was going to be a local newspaper's first website, so I got to learn a bit about their business. Their 'dirty little secret' was that, while the newspaper could rightly say that their free paper reached over 95% of all households in the county, and that the actual readership was quite high (IIRC something like 70%), they _never_ publicized the probability that an ad on Page X would be seen by anybody. The probability was very close to zero, except for certain specialties like the front of the weekly car ads section, and parts of the classifieds. They actually had some numbers, such as what percentage of households actually opened the paper, actually looked at the first page of the sport section, etc. But none of that was given to the advertisers.

It's "[citation needed]"... you can turn in your geek card at the door.

Also, tracking brings lots of revenue for advertising companies. Advertising companies are then hired by practically every company on the Fortune 500 list. (or done in-house, which essentially yields the same result) More advertising for the aforementioned companies leads to more revenue. Those Fortune 500 companies give jobs/paychecks to you and me. (because now that they have more revenue, they can branch out into other areas and c

Any slashdotters which have turned off access logging on their webservers? Or at least turned to anonymous access logging (like mod_removeip for Apache)?

Exactly. Further, if people would stop to think about "why" companies would want to track you, they would realize it's not such a bad thing. If you ask me, you lose the right to complain about sucky products when you let companies stop collecting data on what interests you. I mean, we've all read 1984, but this isn't about black helicopters, it's about market research and making products that people actually want to buy. People on /. are far too paranoid.

I'm not convinced the ones doing the tracking are the ones manufacturing the products.

I mean, I've worked in manufacturing and the stiffs in those places are the same ones you go fishing or golfing with. They are just not all that awesome when it comes to knowing exactly what their customers want.

The tracking companies may be amassing a pile of data about you, but since all they do is sell data, (again to the pointy-haired bosses of the manufacturers) they aren't in a position to detect or service any majo

Grocery stores already have video cameras aimed at every register. They also have digital logs of what items were purchased at what register at any given time.

Would you be okay with grocery stores sending their footage to India (or wherever) to have cheap labor analyze the tapes and match race, age, and gender with a timestamp (in order to match it with products) and subsequently selling the statistics to manufacturers? The process could be automated fairly well with software

I'm all for a standard GUI for doing so, but the "other side" (those who do the tracking) must also cooperate by actually observing the setting (no matter how it should be delivered to them; perhaps via HTTP header). If observing it would be mandatory, then hooray; otherwise, meh.

First off, let me remind everyone that cookies left in your browser's cookie cache can only be read by the domain that gave them to you. So maps.google.com can read cookies issued by mail.google.com but www.amazon.com cannot read or in any way know about cookies issued from www.newegg.com. Cookies were designed that way for the exact reason of protecting privacy. Additionally, cookies that you receive on sites that you have not logged in to are not linked to your na

Didn't read TFA, but maybe it's not a list. An HTTP header announcing the preference for not being tracked would do the trick, as long as the other party were obliged to actually listen to your setting.

An HTTP header announcing the preference for not being tracked would do the trick, as long as the other party were obliged to actually listen to your setting.

But in the real world such a header would just become another bit to go into your 'unique fingerprint' for the advertisers. And it would mean that advertisers would be even more eager to send you crap.

Exactly, right now tracking is ubiquitous. The value/destructiveness of tracking does not increase linearly with added trackers. One site tracking you is just running its own site. Two sites sharing tracking are not much of a problem. As the number of sites increases, it becomes a real problem. If cross site tracking were illegal, you would still get a few sites doing it, but they would be few and far between, and thus not a problem. As with any conspiracy, the bigger it is the harder it is to keep con

Sounds like a pretty exciting internet at that point. You might as well be browsing in a text-only browser like Lynx. And even if you follow all of the steps above, you can still be tracked pretty effectively by the specific configuration of your browser.

Now, that being said, I'm still in favor of tracking (to an extent). It's an important part of product development (amongst o

Barring plugins with cookie-like features and actual tracking software you've elected to install, it's actually pretty hard to separate out your traffic from everybody else's.

You can keep track of a linear session by passing state in the URL but you lose it as soon as the guy goes somewhere else and comes back. You can do some fuzzy matching based on behavioral patterns but it takes a lot of computing power and the confidence drops off quickly.

A lot of legit apps would not work. Logging in would not work on a lot of the web, for example. I really care about my email.

And your straw man argument sucks. Having a log that is cleaned after 24h, after establishing that a user at some IP is not doing anything suspicious, is one thing. Tracking the user in order to identify behavioral patterns is another.

Would adding a drop rule in iptables count as not honoring this 24h cleaning time that you speak of? Technically that would be a permanent record of someone that "opted out" of leaving any kind of record.

Make that 30 days if you want network security folk not to laugh at you. 365 if you want any support from law enforcement. Better yet, change your focus to a "do not sell list" where passing a standardized header serves as legal notice that the receiving server is forbidden from sharing any information about the transaction with a third party, specifically or in aggregate. You won't get that either, but at least your only opposition would be from marketing folk.

In my personal experience, the FTC's Do Not Call list has actually worked pretty well. I used to get considerable numbers of telemarketing calls every night, but about 6 months after adding all my numbers to the list, they've almost completely stopped. And on the very, very rare occasion that I do get one, a quick mention that this number is on the Federal Do Not Call list sends them into a near panic state, scrambling to hang up.

I'll second this. In addition, the Direct Marketing Association and pre-approved credit card opt-outs have worked very well. I get almost zero junk mail. See this for details:
World Privacy Forum's Top Ten Opt Outs [worldprivacyforum.org]

In my personal experience, the FTC's Do Not Call list has actually worked pretty well.

That's because a personal phone call from a live human costs a lot and anyone who uses this method must target its customer base very well to be cost-effective. In turn, it's almost certainly a US business, operating on US soil, and cares about the FTC. If they violate the DNC list, you incur a high cost, and are likely to do something about it, like report them.

Not so on the Internets. Tracking is 100% automatic, and non-intrusive. Only a minority of the sites doing the tracking are from your country (this i

Have you read what it's about?
It's about tracking mechanisms getting smarter, if it only depended on our IP it would only be a simple problem, the newer tracking systems use a lot more variables to follow you across different IP's and even different appliances.

What's different about this is that telemarketers who call you already know who you are: they have your phone number. The only way a web site would be able to comply with a Do Not Track database is for you to identify yourself unambiguously to them, information they do not have, and which would not be safe to hand over, unsecured, to any web site that asks for it.

I have a last name that's a common woman's first name (I'm male) and my first name is a common last name. Telemarketers invariably tripped over the name and asked for "last first" or Mrs. "firstname" instead, emphasizing they didn't know me. I also had one telemarketer insist "I'm a concerned neighbor just down the street in, um..." and then completely mangled the pronunciation of the 5-letter name of my town. It made it abundantly clear he was lying.

What happens is that once a person does an "opt-out" there are some teeth in the recourse that an individual can take.

The trouble I have is that you would first have to make yourself trackable in order to opt out. We also need to stipulate what things can and cannot be used in tracking to make such a law workable. As we know, there are a LOT of sneaky ways to track users. We need to also limit how people are tracked. Also, we need to have proof positive that we

"a quick mention that this number is on the Federal Do Not Call list sends them into a near panic state, scrambling to hang up"

Really? I've telemarketed before in my dark past. When people told me they were on the do not call list I would say 'I don't care' and would go into the pitch. Then they'd hang up on me. It was just fun when people thought they could thwart me by being smarmy or clever. I hated my job and all those who I had to deal with on the phone. So anybody who tried stuff like the 'do not call

Actually, the FTC's Do Not Call list made things much worse for me. I never got calls even before because I was on the Direct Mail Association's do not call list. Ever since the FTC Do Not Call law was passed, I've been getting calls from politicians, pollsters, charities, etc. Namely all the groups that were exempted from the law and just use it as a Please Call Me Repeatedly list.

The Do-not-call list provided exceptions for politicians and non profits. Will we just see currently existing unscrupulous entities just create associated 501c3's to get around the tracking block? Just like there is a loophole for the do not call list, there will be one for this. Assuming, of course, it ever comes into being.

The Platform for Privacy Preferences Project (P3P) enables Websites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit.

I'm all for this, I think it would be wonderful and beautiful to just change a setting in my browser and never have to question whether I'm being surveilled or not. It'll never work though. Corporations want what they want, and they'll find a way to track you regardless. I don't even think that making it illegal to track people's online habits would really stop them. The federal "Do not call" list only works up to a point, if someone doesn't give a shit about the law and thinks they can get away with it, the

Let's face it, the local do not call registers barely work. I manage to report about 8 companies a year to our Telecommunications Industry Ombudsman and the Australian Competition and Consumer Commission about calls I get to our number. The fines are usually quite hefty especially for repeat offenders. Somehow I doubt that companies will bow down and obey instructions from an international company whose laws don't govern them.

Koreans typically don't tend to care quite as much about tracking Americans' browsing to advertise at them. Most websites most Americans visit are owned and operated by American companies, as it turns out.

The do not call list works GREAT, but only if you block all calls without caller ID information. Most of the people who will spam you with valid caller ID info will make an effort not to call you back if you are on the list and you tell them so, especially if you announce to them that you are reporting them for the call, and then DO SO. There's a webform, it's not tricky.

My brain's a little slow today... how would this work? How would this be enforced? Since when can websites tell exactly who we are (which I am assuming will be required to verify that the user is or is not on the list)?

There are two answers, work as in successfully meet objectives, and work as in good enough for govt work.

The work as in meet objectives, would be package a browser addon basically privoxy aka www.privoxy.org, or mandate the installation of something like privoxy with all browser installations. If the EU can demand winders not ship with "X" maybe the FTC can demand winders ship with a working privoxy install.

The work as in good enough for govt work, would be add a line to the browser string, "please dont tr

More to the point, how am I supposed to know when someone is violating it?

I can tell when someone fails to use the do-not-call registry or ignores a do-not-email checkbox setting, but tracking me as I browse is a passive activity. Am I supposed to search through my cookies? And how will I know the tracking cookies from the session and configuration persistence cookies?

Take the person who proposed this and send them to Pakistan to look for the tallest man there. Doesn't seem like there are enough people do

I have a land line (it comes over my cable connection) because we only have one mobile phone and use the 400 minutes as our long distance service thus it's cheaper for us to have family call us on the land line. Aside from the handful of calls we get from family the rest of the time it's from scammers "trying to lower your interest rate on your credit card," who hang up when you press them for who they are or companies who do not follow the DNC list.

These companies know they have little chance of being prosecuted under the law so I end up with numerous phone calls and fights with supervisors of these companies to not call me again. Yet they keep trying to sell newspaper subscriptions and rug cleanings to me.

So after three phone calls from one company I finally get enough information to file a complaint with the FCC. I submit that complaint and it's rejected three different times for lack of information. While the FCC agent attempts to be helpful the entire process is cumbersome and difficult. I lack any confidence the calls will stop or the company will pay and even if they do the fine will be minimal and they'll just consider it the cost of doing business.

---

So back to this particular new trend. Yeah, great, no more tracking online. It's a lot easier for me to block that stuff online while still enjoying a relatively easy browsing experience than it is for me to stop calls from ringing my phone which would include turning the ringer off (no, I'm not paying for call block or caller ID).

If the government wants to do this, and I'd love them to, they need to ensure that the laws, policies and enforcement are viable and actually benefit people rather than creating a whole new useless bureaucracy which spends money and doesn't accomplish a damn thing.

Besides the simple fact that there currently isn't a good way to implement an opt-out database (yet) and doing so on a national level between several websites would be a nearly impossible nightmare, you also have to consider the fact that:

1) There is no good way to enforce this as the legal boundaries end at our borders. There wouldn't be much to stop offshore data collection.

2) The most harmful types of data collection are those people that do it for malicious purposes like phishing. I really don't think a US law is going to stop them anyways.

-also-
3) What constitutes "tracking?" There are web apps and addons that track your usage of a page for simple things like counting the number of visitors, or much more complex things like demographic account collection to tune web ads to best suit you. There are also versions that do this that don't permanently record your information and just go on a session-by-session basis. If you even have the capability of differentiating what tracking is occurring (which is nearly impossible in the first place) where does the line get drawn?

I came here to say this.
Me: "Don't track me."
Them: "Thanks for visiting our website! In order to know whether or not we should track you, please tell us who you are."
In order for this to work, the web would have to abandon any pretense of anonymity. Which do you think is the lesser of two evils? I know where my vote goes.

Yeah. I can't think of a way to make this system work, except using a database which would constitute the kind of personally-identified tracking system that it seeks to prevent. In order to get website maintainers to comply with these rules, the government would have to provide them with exactly that data which they're being forbidden to collect, and then, I don't know - put them on the honour system, make them pinky-swear not to use it for anything but the intended purpose? Is that the plan?

A do not track list is quite different than a do not call list. The latter is about companies calling you, wasting your time and phone minutes when you're not interested. Gathering demographics doesn't waste your time. Put another way, you have no way of knowing whether the no track list is even being followed, whereas you can easily tell if the do not call list is being followed, because you get annoying calls.

I'm not saying that tracking you on the web isn't offensive, just that it's fundamentally diffe

So basically we can opt not to be tracked by the companies who actually decide to follow an optional opt-out list? Doesn't that mean I'm only opting out of the companies I'm least bothered about? Worse, make being a (relative) good-guy even less profitable?

Without legislative backing it's at best toothless and at worst counter-productive.

Even legislative backing may be prone to unintended consequences as companies leave for less regulated shores. However I'd expect there would be more of a positive influen

I suspect this list would also be used by various agencies to flag people who are engaged in "undesirable" activity. "Only those with something to hide will be using the Do Not Track" feature.

*sigh*

This all at the same time that they are requiring ISPs to keep 2 year records of IP logs.

So how does this new "Do Not Track" bill merge with the other bill. I presume that everyone will just sign up under the 2 year bill and say "we need to keep records" and are thus exempt from the DoNotTrack feature.

The Internet Stopping Adults Facilitating the Exploitation of Today's Youth (SAFETY) Act of 2009 also known as H.R. 1076 and S.436 would require providers of "electronic communication or remote computing services" to "retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user."[22]

I don't want to be tracked. Unfortunately I don't like where this is going either. This isn't like a do not call list where you can register a distinct end point and prove that someone called you when you were clearly on the list. The tracking isn't based on a hard identification. It's a fuzzy id. They are trying to aggregate actions made by some checksum built out of whatever info you can get from a client of a web app. How can either side prove that you are or are not that checksum?

While it's entirely possible for something like this to happen and the FTC to use large fines to make US companies avoid some tracking, tracking provides LARGE benefits to businesses.

I'd immediately expect many ad networks to host their ads from overseas so they could claim not to be under the jurisdiction of this law. How will the FTC stop that? And what if Google Ireland decides to host all the Google ads? Are you going to go after the parent company?

To make this work, wouldn't people have to be on a system where they'd lose their anonymity online? How else could they guarantee who's on a "do not track me" list without knowing who you were when you were online?

Okay, so it probably isn't quite as accurate, but how would this play against the things that webmasters need but which can also be used for tracking - i.e. Apache log files and the like? I can do all sorts of path following and user tracking with logs if I wanted, just by analysing the log files from a normal server. It won't be quite as accurate as something tracked with a cookie, but then even cookies aren't bullet-proof.

It's not possible unless you limit valid uses of technologies such as cookies, too. But if some sort of a law were introduced requiring those who do the tracking to observe your setting, then it'd be possible; they'd simply have to ignore your request for their "tracking service" if you supply a header such as "X-DNT: True".
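A server-side sketch of what observing such a header could look like, added here as an illustration and not part of any comment in this thread. The cookie name `visitor_id`, the log layout and the sample requests are constructed assumptions; `X-DNT` is the header name proposed in the comment above.

```python
import ipaddress
import uuid

OPT_OUT_HEADER = "x-dnt"        # header name proposed in the comment above
TRACKING_COOKIE = "visitor_id"  # hypothetical cookie name, assumed for this example


def wants_no_tracking(headers):
    """True if the request carries the opt-out header with a truthy value."""
    for name, value in headers.items():
        if name.lower() == OPT_OUT_HEADER:  # HTTP header names are case-insensitive
            return value.strip().lower() in ("true", "1", "yes")
    return False


def mask_ip(addr):
    """Zero the host part of an address: keep a /24 for IPv4, a /48 for IPv6."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def handle_request(method, path, headers, cookies, remote_addr):
    """Return (response_headers, access_log_line) for one request."""
    response_headers = []
    if wants_no_tracking(headers):
        # Opted out: issue no identifier, expire one left over from an
        # earlier visit, and log only a truncated address.
        if TRACKING_COOKIE in cookies:
            response_headers.append(
                ("Set-Cookie", f"{TRACKING_COOKIE}=; Max-Age=0; Path=/"))
        log_line = f"{mask_ip(remote_addr)} - {method} {path}"
    else:
        # Default: reuse or issue a persistent identifier and log it next
        # to the full address, which is what makes visits linkable.
        visitor = cookies.get(TRACKING_COOKIE)
        if visitor is None:
            visitor = uuid.uuid4().hex
            response_headers.append(
                ("Set-Cookie", f"{TRACKING_COOKIE}={visitor}; Path=/"))
        log_line = f"{remote_addr} {visitor} {method} {path}"
    return response_headers, log_line


if __name__ == "__main__":
    # Constructed sample requests (documentation address range).
    samples = [
        ({"X-DNT": "True"}, {"visitor_id": "abc123"}),
        ({}, {}),
    ]
    for hdrs, cookies in samples:
        print(handle_request("GET", "/story", hdrs, cookies, "203.0.113.77"))
```

Nothing in the response lets the client confirm the server took the opted-out branch, which is the enforcement gap several comments in this thread point to.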

As someone else has already noted, this only works if the website you are visiting is willing to abide by those policies.
Do Not Call list is one thing - those calls usually originate from companies that are based in the US (even if the call center is not), and it is also fairly easy to realize if someone has called you in violation of this list.
It is more difficult for a website. How do they expect to enforce this on a website owned by a company that is not US? In addition, it's a lot harder to tell if a w

I'd be interested to see if this is even possible. From what I understand, which is somewhat limited, it is virtually impossible to completely wipe browser information as it is sometimes required to act a certain way when interfacing with a website.

Using HTTP headers and browser data during a session to support features, degrade gracefully, etc, is not really a problem. The "store, collate, correlate and share with others" cycle is the real problem.

ORLY? Try not to be tracked by Facebook. The Facebook and twitter icons on http://slashdot.org/ [slashdot.org] come from a.fsdn.com
You could try and block that URL, but then slashdot looks pretty messy as there are some CSS files as well.

Perhaps you were just trolling for the LOLs, but I looked at the source and the icon pix are served up by fsdn not FB and the href doesn't seem to contain any user info.

Remember how spam used to mean unsolicited commercial email, but AOL users called any email that they didn't want, "spam", essentially equating the delete button with the report spam button, and all the trouble that caused? I think we might be seeing the meaning of "tracking" change from recording your online activities toward something mor

And don't think that the government wouldn't use the same mandated mechanism to keep its agents from being tracked when they are investigating you. Then if you notice them doing it, they can arrest you for noticing them.